Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
APA Update
CUAV Annual Conference_____________________________________May 1, 2017Martha S. MavredesEric M. SandridgeAuditor of Public Accounts
Discussion Areas
• Internal happenings at APA• 2017 Legislative Session• New Standards
– GASB Standards 74 and 75– Draft of Yellow Book– U.S. Department of Education– GASB Standards 72 and 81
Page 2WWW.APA.VIRGINIA.GOV
Discussion Areas
• Audit Results– C&U findings (non IT and IT)– SIF at UVA– Travel Study
• Common areas reported involving frauds
Page 3WWW.APA.VIRGINIA.GOV
INTERNAL HAPPENINGS AT APA
Page 4WWW.APA.VIRGINIA.GOV
Internal Happenings at APA
• Peer review upcoming Spring 2018• Chair of the Board of VSCPA• Strategic Plan developed for 2015 – 2020
– Established values for the first time– Four strategic goals
Page 5WWW.APA.VIRGINIA.GOV
Page 6WWW.APA.VIRGINIA.GOV
VALUES
Strategic Goals
• STRATEGIC GOAL #1: Build Our Culture – Continue to build an internal culture aligned
with our core values to guide how we approach our work, internally and externally, and to shape our brand with clients.
• STRATEGIC GOAL #2: Strengthen and Retain Our Staff – Increase our investment in developing the APA
team, with an emphasis on developing current and future leaders, and recruiting and retaining the best talent.
Page 7WWW.APA.VIRGINIA.GOV
Strategic Goals, continued
• STRATEGIC GOAL #3: Be A Leader in the Profession – Be a leader in the profession by remaining
current and innovative in our work and practices.
• STRATEGIC GOAL #4: Communicate Our Value – Strengthen our relationships, emphasize our
value, and enhance the ability of our stakeholders to utilize our work to make better decisions.
Page 8WWW.APA.VIRGINIA.GOV
2017 LEGISLATIVE SESSION
Page 9WWW.APA.VIRGINIA.GOV
2017 Legislative Session – bills not passed
• HB 1892 – Miyares– Governing board of public institution of higher
education; independent audit.
• SB 952 – DeSteph– False statements to members of the General
Assembly; state employees and appointees.
Page 10WWW.APA.VIRGINIA.GOV
2017 Legislative Session – bills passed
• HB 2171 Massie– Public institutions of higher education; annual
report; investments.
• HB 2436 – Davis / SB 1307 – Vogel– Auditor of Public Accounts; online database,
register of funds expended.
• HB 2391 Holcomb / SB 1293– DHRM; criminal background checks; state
agency positions designated as sensitive; agencies to report to the Department.
Page 11WWW.APA.VIRGINIA.GOV
2017 Legislative Session – bills passed continued
• HB 2366 Albo / SB 1129 Ruff– Public procurement; requirements for use of
construction management and design-build procurement methods.
Page 12WWW.APA.VIRGINIA.GOV
NEW STANDARDS
Page 13WWW.APA.VIRGINIA.GOV
New Standards: OPEB
• GASB 74 – Plan accounting effective for FYE 2017
• GASB 75 – Employer accounting effective for FYE 2018
• Plans operated at State Level– Group Life– Pre-Medicare Retiree Health Care– Retiree Health Insurance Credit– Line of Duty Death and Disability– Disability Insurance Trust Fund
Page 14WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book
• ED comment period ends July 6, 2017• No effective date yet• Overall Changes
– Revised format to differentiate requirements and application guidance
– Chapters reorganized and realigned– Supplemental guidance from the appendix of
the 2011 revision either removed or incorporated into individual chapters
Page 15WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Two
General Requirements for Complying with Government Auditing Standards
– Guidance is expanded to explain that for financial audits, attestation engagements, and reviews of financial statements, GAGAS does not incorporate the American Institute of Certified Public Accountants Code of Conduct by reference but recognizes that certain certified public accountants (CPA) may use or may be required to use the code in conjunction with GAGAS. (2.13)
Page 16WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Three
Ethics, Independence, and Professional Judgment
– Independence requirements of the auditor when the engaging party differs from the responsible party (3.24)
– Guidance is added to address situations in which government auditors work in conditions that do not permit independence (3.25)
– Auditors reevaluate threats to independence whenever the audit organization becomes aware of new information or changes in facts and circumstances. (3.29)
Page 17WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Three, cont.
– Additional guidance related to professional services in government (3.80)
– Any services performed by auditors related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.88, create significant threats to auditors’ independence (3.89)
Page 18WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Four
Competence and Continuing Professional Education
– Requires that management assign auditors to conduct an engagement who possess the competence needed for their assigned roles at the time of their assignment. (4.03)
• Levels of Proficiency (4.09 – 4.10)• Competence of Specialists (4.12 – 4.14)
Page 19WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Four cont.
– The requirements for continuing professional education (CPE) are revised to promote greater proficiency in GAGAS. This includes the following: • Introducing a new 4-hour requirement in GAGAS
topics, to be required each time a new version of GAGAS is issued. (4.15 - 4.17)
• Providing application guidance concerning the topics required by the 80-hour GAGAS CPE requirements. (4.21 - 4.25)
• Detailing exemptions that may be granted to auditors in certain circumstances. (4.26 - 4.30)
Page 20WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Five
Quality Control and Peer Review – Requires that audit organizations at least
annually obtain written affirmation of compliance with policies and procedures on independence from all audit organization personnel required to be independent. (5.09)
Page 21WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Five cont.
– Requirements are added and guidance is provided for engagement performance, documentation, and reporting, including requirements for policies and procedures pertaining to the review and supervision of engagement work performed by the engagement team. (paras. 5.20 through 5.41)
Page 22WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Five cont.
– Require that audit organizations affiliated with a recognized organization comply with the respective organization’s peer review requirements and additional GAGAS peer review requirements. (5.64)
– Standard is modified for audit organizations not affiliated with recognized organizations (5.65)
• Review documentation of terminated engagements• Review prior peer review reports
Page 23WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter 6, 7, 8, 9
• Waste (6.16, 6.35, 6.39, 7.18, 7.41, 7.42, 7.73, 7.84, 8.69, 9.32, 9.33)– Perform procedures to determine potential effect– Report findings if material effect on financial
statements or if material and significant effect on audit objectives
– Communicate findings in writing if not material but warrant attention of those charged with governance
• Cause of identified findings (6.20, 7.22, 8.115)– Consider potential internal control deficiencies
Page 24WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Eight
• Fieldwork Standards for Performance Audits – Management assertions are not required for
performance audits (8.14) – Discussion of suitable criteria (8.17 – 8.19)– Internal control requirements and guidance are
updated to align with revised Green Book (8.37 –8.65)
Page 25WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter Nine
Reporting Standards for Performance Audits– Requires that audit organizations that meet the
independence requirements for internal auditors include in the GAGAS compliance statement, where applicable, a statement that they are independent per the GAGAS requirements for internal auditors (9.03)
– Requires that when internal control is significant within the context of the audit objectives, auditors include in the audit report discussion of how the auditors considered the concept of accountability for use of public resources and government authority while assessing audit risk associated with internal control (9.24)
Page 26WWW.APA.VIRGINIA.GOV
New Standards: Yellow Book Chapter 9 cont.
– Requires that auditors indicate in their report that the audit did not consider all internal control components if internal control that is significant to the audit objectives does not include all internal control components and underlying principles. (9.25)
Page 27WWW.APA.VIRGINIA.GOV
Dept. of Education Update
• 2017 draft of the Compliance Supplement included two new substantial requirements
• Proposed Requirement #1:– Audit financial aid at all institutions every year– Meets compliance audit requirement
established in 34 CFR 668.23– Single Audit must audit SFA each year, despite
regulations for selecting Major Programs provided by Uniform Guidance 2 CFR 200
Page 28WWW.APA.VIRGINIA.GOV
Dept. of Education Update cont.
• Final Language Requirement #1:– Final Compliance Supplement removed this
language– Single Audit major program determinations for
financial aid will follow Uniform Guidance – Financial Aid will be major program for FY18
• Most four year institutions with significant Pell and Direct Loan activities will be tested, along with TCC and NVCC
– Test work to start in Spring 2018 and finish during Fall 2018
Page 29WWW.APA.VIRGINIA.GOV
Dept. of Education Update cont.
• Audit of financial aid for Single Audit purposes will happen once every three years unless the cluster becomes high risk
• We plan to audit financial aid during reaccreditation cycles for those institutions not included during Single Audit
• Limited procedures will also be performed during financial statement audits
Page 30WWW.APA.VIRGINIA.GOV
Dept. of Education Update cont.
• Proposed Requirement #2:– Add Special Test and Provision #4 governing
compliance with the Gramm-Leach-Bliley Act (GLBA) and the Safeguards Rule (16 CFR 314)
– Concerns from audit community regarding the scope of this testing related to information security, including whether this testing would require us to issue an opinion on internal control
Page 31WWW.APA.VIRGINIA.GOV
Dept. of Education Update cont.
• Final Language Requirement #2:– Significantly reduces the requirements in final
proposed language• Verify the institution has an individual responsible
for its information security program• Obtain the institution’s risk assessment and ensure
it addresses the requirements of 16 CFR 314.4(b)• Verify that the institution has identified a safeguard
for each risk identified in its risk assessment
– Will be delayed until fiscal year 2018
Page 32WWW.APA.VIRGINIA.GOV
Other Federal Audit Information
• The Research and Development (R&D) Cluster will be in-cycle as a major program for FY17 audits
• Internal control and compliance testing will be performed at the following institutions in Summer/Fall 2017:– UVA– VCU– VT
Page 33WWW.APA.VIRGINIA.GOV
Results of GASB 72 Implementation
• Variety of practices in investment management result in different scenarios for reporting under GASB 72
• Classification of investments as Level 1, Level 2, or Level 3– Level 2 and Level 3 classifications require
additional audit testing due to judgment used in valuing these assets
• Definition of an investment resulted in reclassifications of certain items
Page 34WWW.APA.VIRGINIA.GOV
Other Upcoming Standards
• GASB 81 – Irrevocable Split Interest Agreements– Effective for fiscal year 2018– Establishes requirements for agreements
where a donor irrevocably transfers resources to an intermediary who administers the resources for the unconditional benefit of a government/institution and at least one other beneficiary
Page 35WWW.APA.VIRGINIA.GOV
AUDIT RESULTS
Page 36WWW.APA.VIRGINIA.GOV
Common Federal Findings
• Enrollment Reporting• Reconciliation of Direct Loans• Returning Unclaimed Aid• Notifying Students of Awards• Return to Title IV calculations
Page 37WWW.APA.VIRGINIA.GOV
Financial/Business Process Findings
• VNAV Reconciliation• Sole Source Contracts• Auxiliary Management• Physical Inventory Process• Timesheet Approval Process
Page 38WWW.APA.VIRGINIA.GOV
Information Systems Security
5
9
Recent Audits of14 Colleges and Universities
Had No ISS Recommendations Had ISS Recommendations
Page 39WWW.APA.VIRGINIA.GOV
Information Security Standards
• ISO/IEC 27002• NIST Special Publication 800-53• CIS Critical Security Controls• Commonwealth’s SEC501
Page 40WWW.APA.VIRGINIA.GOV
Information Security Deficiency Control Families
Page 41WWW.APA.VIRGINIA.GOV
12
4
3
3
3
3
3
2
0 2 4 6 8 10 12 14
Access Controls
System and Services Acquisition
Audit and Accountability
Awareness and Training
System and Information Integrity
Configuration Management
Identification and Authentication
Information Security Roles and Responsibilities
Number of Institutions with Control Family Deficiencies
Page 42WWW.APA.VIRGINIA.GOV
7
3
3
3
3
2
2
2
0 1 2 3 4 5 6 7 8
Access Controls
System and Services Acquisition
Audit and Accountability
Awareness and Training
System and Information Integrity
Configuration Management
Identification and Authentication
Information Security Roles and Responsibilities
Takeaways from Strategic Investment Fund
• Heightened awareness from legislators, citizens, and other entities on institutional accumulation of resources and investment activities
• Required annual reporting of balances under HB2171
• Additional scrutiny over use of resources paired with history of increases in tuition rates
Page 43WWW.APA.VIRGINIA.GOV
Statewide Review of Travel Expenses – Part 2
• Higher education institutions and the Department of General Services should work together to develop cooperative approaches that will more fully maximize the state’s purchasing power and also leverage the travel management experience of the higher education institutions.
• Alternatively, cooperative contracting for areas of common need such as airlines or hotels should be considered.
Page 44WWW.APA.VIRGINIA.GOV
Statewide Review of Travel Expenses – Part 2, cont.
• The General Assembly should consider adding language to further require coordination between General Services and universities when considering cooperative procurements. – General Services’ enabling legislation (Code of
Virginia §2.2-1111) – Restructured Higher Education Financial and
Administrative Operations Act (Code of Virginia §23-38.110, or §23.3-1017 effective October 1, 2016)
Page 45WWW.APA.VIRGINIA.GOV
COMMON AREAS REPORTED INVOLVING FRAUDS
Page 46WWW.APA.VIRGINIA.GOV
Types of Frauds Reported
Purchasing, 5
Vendor Issues, 4Embezzlement, 3
Misuse of Institution
Resources, 3
Payroll, 2
# of Institutions
Purchasing Vendor Issues Embezzlement Misuse of Institution Resources Payroll
Page 47WWW.APA.VIRGINIA.GOV